Virtual Private Networks – In-depth Technical Details

Created: June 11, 2013
Author: Mufaddal Makati
Last Updated: February 13, 2014

Introduction

This article is about Virtual Private Networks. Although there are a great many articles and videos on this topic, I found that none of them actually explained the underlying mechanism that all VPN protocols use, or how a Virtual Private Network actually works. Most fail to explain how we achieve connectivity between private networks over public infrastructure through tunneling, and there is no detailed explanation of what a tunnel technically is. The reason for the lack of such in-depth technical guidance may be that those articles are aimed at end users of VPNs, who do not care much about how a Virtual Private Network works; they therefore concentrate on the basics: what a Virtual Private Network is, and why and by whom it is used. Most of the remaining articles come from VPN vendors and product companies and focus mainly on how their product works and how to configure it for VPN connectivity.

In this article I will try to explain VPNs from a purely technical perspective, particularly for those who wish to design and develop their own VPN protocols or implement existing VPN technologies. I will explain what a tunnel is in a VPN, look at the various scenarios in which VPNs are used, and show how virtual network adapters are used for tunneling.

Definition and Why Virtual Private Network?

[Figure: Site to Site VPN]
A Virtual Private Network is a network virtualization technique that simulates the traditional private-line experience an enterprise uses to securely connect two or more branches, or a remote user with a branch office, but at much lower cost and with more freedom than a private line provides, because the VPN runs over the public internet infrastructure.

So why do we need a VPN? To connect two branches of a company, or a remote user with a branch office? Not exactly: those are already connected if they are connected to the internet. A VPN is about isolating the networks and keeping unwanted users from reaching the network behind it. So even though we use public infrastructure (to save money), we have found a way to simulate the experience of a private leased line. In that sense a VPN is about the security, authentication and authorization of the data that goes through the internet.

To be more technical, a VPN allows two or more networks that use private IP address ranges (e.g. 10.10.10.0/24 and 10.10.11.0/24) to communicate over the internet as if they were on the same premises, separated only by a local router. It can even extend a private network beyond the campus, seamlessly and transparently, to another branch over the internet. On top of all this communication we add a layer of security to keep it truly private.

Some VPN scenarios and Basics

Before we dive in, let us first look at what our goals are and what we are trying to achieve with a VPN.

1) Site to Site – We want transparent communication between two different private networks over the internet. E.g. we have a 172.20.20.0/24 network in branch A and a 192.168.10.0/24 network in branch B; a device in branch A with IP 172.20.20.5 must be able to receive ping replies from a device in branch B with IP, say, 192.168.10.42.

2) Remote User – A remote user connected to the internet has a private IP (if behind a NAT) or a public IP. The user must be able to communicate with any device in the company’s network (a private network, e.g. 10.1.3.0/16).

[Figure: Remote User VPN]

3) Peer to Peer – We might also need to create a private network between devices or users on the internet. For example, assume we have a few users connected via the internet who wish to come under a private network range such as 10.1.1.0/24 and communicate using that private network.

4) Secure Browsing – As a home user, we might also want to channel all our internet traffic through a VPN gateway, with replies returning over the same path, in a secure manner.

[Figure: Peer to Peer VPN]

5) Virtual Private LAN Services – VPLS is a VPN technology that reproduces a company’s Ethernet network exactly, beyond the company premises, i.e. it extends Ethernet over the WAN. This means we can extend our private network over the internet to other branches. E.g. we have a network 192.168.1.0/24 where some devices (192.168.1.1-70) are in branch 1, a few others (192.168.1.71-150) are in branch 2 and the rest are in branch 3. The important point is that they are all in the same broadcast domain.

Depending on our needs and circumstances, we use a Virtual Private Network to achieve one or more of these goals, and the primary way we do so is through tunneling.

What is a tunnel in VPN?

We all know encapsulation in networking. Whether you consider the OSI model or the TCP/IP model, we all grew up learning how encapsulation is used at every layer of the forwarding plane. If we add an extra layer of encapsulation to a packet, say at layer 3 or layer 2, at one end and remove that layer at the other end, we form a tunnel between the two endpoints. So tunneling simply means encapsulating the original packet in one or more new headers and sending it from one device on the internet to another, where the reverse happens.

[Figure: VPN Tunnel]

Tunneling is not used only in VPNs but in many places in the networking world. We generally use tunneling when we want to send a packet that the intermediate routers do not recognize (or should not see) but the end nodes do, like IPv6 tunneled in IPv4. So tunneling basically means hiding the source packet inside other headers, either for security reasons or because that packet could not otherwise travel along its path to the destination.

Virtual Network Adapter

[Figure: Virtual Network Interface]

To implement a tunnel we need a virtual network adapter. A virtual network adapter is a network adapter implemented entirely in software; it simulates a network interface. Although such an interface is virtual and does not exist physically, applications do not need to know the difference: to them it is as good as a real one. In Linux the TUN/TAP driver built into the kernel lets us create a virtual interface. In Windows we need third-party drivers or a loopback network adapter to do the same job, and on other networking devices such as routers, loopback interfaces serve the same purpose.
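As an added example (not code from the article), here is how the Linux TUN/TAP driver mentioned above is used from Python: the ioctl that creates the interface, and a parser for the IPv4 header of each packet read from it, which is what a VPN process inspects before encapsulating. The interface name vif0 and the sample packet are constructed for the example; opening the device needs CAP_NET_ADMIN on a Linux host, and the process reads the interface through the file descriptor the ioctl returns, which is the practical equivalent of the raw-socket listener the text describes.

```python
import fcntl
import os
import socket
import struct

# Linux TUN/TAP ioctl constants from <linux/if_tun.h>.
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001    # layer-3 device: reads and writes raw IP packets
IFF_TAP = 0x0002    # layer-2 device: reads and writes Ethernet frames
IFF_NO_PI = 0x1000  # do not prepend the 4-byte packet-information header

def build_ifreq(name: str, flags: int) -> bytes:
    """Pack a struct ifreq (40 bytes on Linux): 16-byte interface name, 16-bit flags, padding."""
    encoded = name.encode()
    if len(encoded) > 15:
        raise ValueError("interface name must be at most 15 bytes")
    return struct.pack("16sH22x", encoded, flags)

def ifreq_flags(ifreq: bytes) -> int:
    """Read the flags field back out of a packed ifreq."""
    return struct.unpack_from("H", ifreq, 16)[0]

def open_tun(name: str = "vif0", flags: int = IFF_TUN | IFF_NO_PI) -> int:
    """Create (or attach to) a TUN/TAP interface and return a file descriptor for it.
    Requires CAP_NET_ADMIN. The interface still has to be addressed and brought up,
    e.g. `ip addr add 10.1.1.1/24 dev vif0 && ip link set vif0 up` (assumed address)."""
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, build_ifreq(name, flags))
    return fd

def parse_ipv4_header(packet: bytes):
    """Return (header_len, protocol, src, dst) for an IPv4 packet, or None if it is malformed.
    The header checksum is not verified: the kernel generated the packets that appear on vif0."""
    if len(packet) < 20:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or total_len < header_len or len(packet) < header_len:
        return None
    return header_len, proto, socket.inet_ntoa(src), socket.inet_ntoa(dst)

# Constructed sample: a 28-byte IPv4/ICMP echo request from the article's site-to-site addresses.
SAMPLE_PACKET = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                            socket.inet_aton("192.168.1.10"),
                            socket.inet_aton("192.168.2.14")) + b"\x08\x00\x00\x00\x00\x00\x00\x00"

def main():
    """Read packets from vif0 and print what the VPN process sees before encapsulating them."""
    fd = open_tun()
    while True:
        packet = os.read(fd, 65535)
        info = parse_ipv4_header(packet)
        if info:
            header_len, proto, src, dst = info
            print(f"vif0: {src} -> {dst} proto={proto} len={len(packet)}")

if __name__ == "__main__":
    main()
```

Passing IFF_TAP instead of IFF_TUN makes the same read loop return whole Ethernet frames (14-byte MAC header first), which is the difference between a layer 2 and a layer 3 tunnel interface.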

Technical explanation on how a Virtual Private Network actually works

Now let us put everything together and see how a VPN works: how the virtual traffic is tunneled and routed through the internet between the VPN endpoints in the various scenarios.

Site to Site VPN

To set up a site-to-site VPN we need to run the VPN at the network gateways of the networks that are to be connected. Each such gateway device has a minimum of two physical network interfaces: one connected to the internal network and one to the external network (the internet). The gateway device routes traffic between the internal network and the outside world. To create a virtual network between the sites we add a third, virtual, network interface on each gateway device.

[Figure: Site to Site VPN detail]

This is the configuration of the network:

Site 1

eth0 – 202.54.34.58 – internet

eth1 – 192.168.1.1 – to the internal network (192.168.1.0/24)

vif0 – virtual network interface

The VPN process listens on eth0 at port 500 and reads every packet from vif0 using raw sockets.

Site 2

eth0 – 202.35.102.100 – internet

eth1 – 192.168.2.1 – to the internal network (192.168.2.0/24)

vif0 – virtual network interface

The VPN process listens on eth0 at port 500 and reads every packet from vif0 using raw sockets.

Now consider a user at site 1 on a device with IP 192.168.1.10 who wants to send a message to a user at site 2 whose device has IP address 192.168.2.14.

[Figure: Site to Site VPN detail]

  • A packet is generated on the sender’s device as usual and, since it is destined for another network, it is forwarded to the network gateway 192.168.1.1.
  • We have already set up and configured the VPN server on that device. The gateway looks at the destination and consults its routing table, which says that packets destined for 192.168.2.0/24 are to be sent out through the vif0 interface.
  • Our VPN application, listening on vif0, receives that packet.
  • It encrypts the packet, encapsulates it with a custom VPN header (depending on which VPN protocol we use) and ships it out on eth0 with the destination IP of site 2 (202.35.102.100) at port 500.
  • The packet arrives at site 2’s router, which sees that the packet is addressed to itself at port 500 and hands it to the VPN server running on that device.
  • The VPN server strips off the outer VPN header, decrypts the packet and inspects the IP header of the inner packet.
  • Finding the destination address to be 192.168.2.14, it sends the packet out on eth1, from where it is finally delivered to the device 192.168.2.14.

The same process happens in reverse when the receiving device at site 2 replies to the sender.
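The site-to-site walk-through above, as an added example that is not part of the original article: two in-memory gateways with the addresses from the configuration, a routing table that steers 192.168.2.0/24 into vif0, a constructed custom VPN header (magic plus sequence number), and a decapsulation path that verifies an HMAC tag and rejects replayed or unknown-source datagrams. Encryption is deliberately left out so the block runs with the standard library alone; the tag gives integrity and origin authentication only, and a real protocol would use an authenticated cipher (AEAD) in its place. The pre-shared key, the header magic and the IPv4 builder are assumptions of the example.

```python
import hashlib
import hmac
import ipaddress
import socket
import struct

VPN_PORT = 500
MAGIC = b"VPN1"                      # constructed custom VPN header, not a real protocol's
TAG_LEN = 16
REPLAY_WINDOW = 64
KEY = b"constructed-pre-shared-key"  # placeholder; a real deployment negotiates session keys

def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, TTL 64, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def ipv4_dst(packet: bytes) -> str:
    return socket.inet_ntoa(packet[16:20])

class Gateway:
    """A site gateway: eth0 faces the internet, eth1 the LAN, vif0 is the tunnel interface."""

    def __init__(self, public_ip, routes, tunnels):
        self.public_ip = public_ip
        self.routes = [(ipaddress.ip_network(net), iface) for net, iface in routes]
        self.tunnels = tunnels                                 # vif name -> (peer public IP, shared key)
        self.tx_seq = {vif: 0 for vif in tunnels}
        self.rx_state = {vif: (0, set()) for vif in tunnels}  # (highest seq seen, seqs inside window)

    def route(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        return next((iface for net, iface in self.routes if addr in net), None)

    def encapsulate(self, vif, inner):
        """Wrap an inner IP packet: custom header + packet + truncated HMAC-SHA256 tag."""
        peer_ip, key = self.tunnels[vif]
        self.tx_seq[vif] += 1
        body = MAGIC + struct.pack("!I", self.tx_seq[vif]) + inner
        tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        return peer_ip, body + tag

    def decapsulate(self, src_public_ip, payload):
        """Reverse of encapsulate; returns the inner packet, or None when any check fails."""
        match = [(v, k) for v, (ip, k) in self.tunnels.items() if ip == src_public_ip]
        if not match or len(payload) < 8 + TAG_LEN or payload[:4] != MAGIC:
            return None                                        # no tunnel with that peer, or not ours
        vif, key = match[0]
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]):
            return None                                        # forged or corrupted datagram
        seq = struct.unpack("!I", body[4:8])[0]
        highest, seen = self.rx_state[vif]
        if seq in seen or seq + REPLAY_WINDOW <= highest:
            return None                                        # replayed, or too old to track
        highest = max(highest, seq)
        self.rx_state[vif] = (highest, {s for s in seen | {seq} if s + REPLAY_WINDOW > highest})
        return body[8:]

    def from_lan(self, packet):
        """Packet arriving on eth1: consult the routing table; tunnel routes leave via eth0."""
        iface = self.route(ipv4_dst(packet))
        if iface in self.tunnels:
            peer_ip, wire = self.encapsulate(iface, packet)
            return "eth0", peer_ip, VPN_PORT, wire
        return iface, None, None, packet

    def from_internet(self, src_public_ip, wire):
        """Datagram for port 500 on eth0: decapsulate, then route the inner packet normally."""
        inner = self.decapsulate(src_public_ip, wire)
        return None if inner is None else (self.route(ipv4_dst(inner)), inner)

SITE1 = Gateway("202.54.34.58", [("192.168.1.0/24", "eth1"), ("192.168.2.0/24", "vif0")],
                {"vif0": ("202.35.102.100", KEY)})
SITE2 = Gateway("202.35.102.100", [("192.168.2.0/24", "eth1"), ("192.168.1.0/24", "vif0")],
                {"vif0": ("202.54.34.58", KEY)})

def demo():
    """192.168.1.10 pings 192.168.2.14: site 1 tunnels it, site 2 delivers it; replay, tampering and an unknown source fail."""
    inner = build_ipv4("192.168.1.10", "192.168.2.14", 1, b"\x08\x00\x00\x00ping")  # constructed ICMP payload
    out_iface, next_hop, port, wire = SITE1.from_lan(inner)
    delivered = SITE2.from_internet(SITE1.public_ip, wire)
    replayed = SITE2.from_internet(SITE1.public_ip, wire)
    tampered = SITE2.from_internet(SITE1.public_ip, wire[:20] + bytes([wire[20] ^ 0x01]) + wire[21:])
    stranger = SITE2.from_internet("198.51.100.9", wire)                  # constructed unknown source
    return dict(inner=inner, out_iface=out_iface, next_hop=next_hop, port=port,
                delivered=delivered, replayed=replayed, tampered=tampered, stranger=stranger)
```

The sequence number is the part most often forgotten in home-grown tunnels: without it, a captured datagram can be fed back to the gateway later and will pass the integrity check.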

Remote User

To set up a VPN for a remote user, we run a VPN server on the company’s network gateway device. Any remote client that wants to connect to the company network must install a VPN client compatible with the VPN server the company has set up on its gateway.

[Figure: Remote User VPN detail]

This is the configuration of the network:

Site 1

eth0 – 202.54.34.58 – internet

eth1 – 192.168.1.1 – to the internal network (192.168.1.0/24)

vif0 – virtual network interface

The VPN process listens on eth0 at port 500 and reads every packet from vif0 using raw sockets.

Remote User

eth0 – 202.35.102.100 – internet

vif0 – virtual network interface

The VPN client uses a random port number on eth0 (a new random port is chosen for every session) and reads every packet from vif0 using raw sockets.

For the VPN client to communicate with the remote network, it first needs to establish a trusted connection with the VPN server. The VPN client knows all the details of the VPN server, such as its IP address and port number.

  • The VPN client connects to the VPN server and goes through all the authentication and authorization steps.
  • Once those pass, a session is created between the client and the server. The client receives a local IP address (say, 10.1.1.1) from the server for communicating with the network, and chooses a random port number for the session, e.g. 3456.
  • The client can now send packets to any device in its company’s internal network. Say the client wants to send a message to a device in the remote network with IP address 192.168.1.14.
  • A packet is generated on the client’s device as usual and, since it is destined for the remote network, the client’s routing table forwards it to vif0.
  • The VPN client application listening on vif0 encrypts the packet, encapsulates it with a custom VPN header (depending on which VPN protocol we use) and ships it out on eth0 with the destination IP of the VPN server (202.54.34.58) at port 500.
  • The packet arrives at the company’s router, which sees that the packet is addressed to itself at port 500 and hands it to the VPN server running on that device.
  • The VPN server strips off the outer VPN header, decrypts the packet and inspects the IP header of the inner packet.
  • Finding the destination address to be 192.168.1.14, it sends the packet out on eth1, from where it is finally delivered to the device 192.168.1.14.

Peer to Peer VPN

The setup for a peer-to-peer VPN is fairly simple. All users who wish to create a private network for their own use install a P2P VPN application on their devices. They all need to agree on a particular network address range, and every member of the network must know every other member’s external IP address.

[Figure: Peer to Peer VPN detail]

This is the configuration of the network:

Network – 192.168.1.0/24

User 1 – external IP 202.32.67.122, virtual network IP 192.168.1.10

User 2 – external IP 152.14.5.100, virtual network IP 192.168.1.11

User 3 – external IP 162.155.75.12, virtual network IP 192.168.1.12

User 4 – external IP 189.56.57.99, virtual network IP 192.168.1.13

User 5 – external IP 99.10.10.163, virtual network IP 192.168.1.14

On every device: eth0 – internet, vif0 – virtual network

The VPN process listens on eth0 at port 500 and reads every packet from vif0 using raw sockets.

We have five members scattered across the internet who want to communicate through a private network. Let us say user 1 wants to talk to user 3 using the virtual network.

  • A packet is generated on user 1’s device, destined for 192.168.1.12.
  • According to user 1’s routing table, such a packet has to be forwarded through the vif0 interface.
  • The VPN application listening on vif0 receives the packet, encrypts it, encapsulates it with a custom VPN header (depending on the protocol used) and ships it out through eth0 to user 3’s external IP address (162.155.75.12) at port 500.
  • User 3’s device receives the packet, looks at its destination port number and hands it to the VPN application listening on that port.
  • The VPN application removes the outer header, decrypts the packet and writes it to vif0.
  • From vif0 the OS kernel finds the destination address to be its own (192.168.1.12) and hands the packet to the application expecting it.

The same process happens in reverse when user 3 replies to user 1.

Secure Browsing

Often a user wants secure web browsing, perhaps because browsing is restricted by a firewall or ISP, or for other security reasons. In such cases a VPN can provide secure, unrestricted internet access.

For that, the user subscribes to a company that provides secure VPN access. Such a company hosts VPN servers to which the user connects with the corresponding VPN client. The internal mechanism of this kind of VPN access is the same as for remote access, with two differences: the VPN client forwards all of its internet traffic through the VPN tunnel to the server, not just traffic destined for a particular network, and the VPN server acts as a proxy between the user and the actual destination the user wants to reach.
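An added example (not the article’s or any product’s code) covering both the remote-user session described earlier and the secure-browsing variant above: the server authenticates the client, hands it 10.1.1.1 from a pool and afterwards identifies every datagram by the client’s public IP and random port; the client’s routing table decides what enters vif0 (the company prefix for the remote user, a default route for secure browsing, in both cases with a host route that keeps the tunnel datagrams themselves on eth0); and for traffic bound for the wider internet the server source-NATs the packet to its own public address and undoes that on the reply, which is the proxy role the text describes. Packets are represented as tuples rather than bytes, the login proof is a constructed stand-in for a real handshake, and the address pool, user name and web server address are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import namedtuple

# Abstract IP packet: real packets are bytes, but session handling, routing and NAT are the point here.
Packet = namedtuple("Packet", "src dst sport dport payload")

VPN_PORT = 500
SERVER_PUBLIC_IP = "202.54.34.58"   # the company gateway from the article's scenario
INTERNAL_NET = "192.168.1.0/24"
ADDRESS_POOL = "10.1.1.0/24"        # assumed pool: clients are handed 10.1.1.1, 10.1.1.2, ... in turn

def lookup(routes, dst):
    """Longest-prefix match over [(prefix, iface)]; returns the outgoing interface or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface)
    return best[1] if best else None

def login_proof(secret: bytes) -> str:
    """Constructed stand-in for the authentication exchange; real protocols run a proper handshake."""
    return hmac.new(secret, b"login", hashlib.sha256).hexdigest()

class VpnServer:
    def __init__(self, users):
        self.users = users                 # username -> shared secret (constructed)
        self.pool = ipaddress.ip_network(ADDRESS_POOL).hosts()
        self.sessions = {}                 # (client public IP, client port) -> assigned virtual IP
        self.clients = {}                  # assigned virtual IP -> (client public IP, client port)
        self.nat = {}                      # NAT source port -> (virtual IP, client's original sport)
        self.next_nat_port = 40000

    def connect(self, client_ip, client_port, username, proof):
        secret = self.users.get(username, b"")
        if not secret or not hmac.compare_digest(proof, login_proof(secret)):
            return None
        vip = str(next(self.pool))
        self.sessions[(client_ip, client_port)] = vip
        self.clients[vip] = (client_ip, client_port)
        return vip

    def from_client(self, outer):
        """Datagram on eth0: the outer (IP, port) identifies the session; then route the inner packet."""
        vip, inner = self.sessions.get((outer.src, outer.sport)), outer.payload
        if outer.dport != VPN_PORT or vip is None or inner.src != vip:
            return None                    # unknown session, or a client using an address it was not given
        if ipaddress.ip_address(inner.dst) in ipaddress.ip_network(INTERNAL_NET):
            return "eth1", inner           # remote-user case: deliver into the company LAN
        nat_port, self.next_nat_port = self.next_nat_port, self.next_nat_port + 1
        self.nat[nat_port] = (vip, inner.sport)   # secure-browsing case: server proxies the flow (source NAT)
        return "eth0", inner._replace(src=SERVER_PUBLIC_IP, sport=nat_port)

    def from_internet(self, reply):
        """Reply addressed to the server's public IP: undo the NAT and tunnel it to the owning client."""
        if reply.dst != SERVER_PUBLIC_IP or reply.dport not in self.nat:
            return None
        vip, sport = self.nat[reply.dport]
        client_ip, client_port = self.clients[vip]
        return Packet(SERVER_PUBLIC_IP, client_ip, VPN_PORT, client_port, reply._replace(dst=vip, dport=sport))

class VpnClient:
    def __init__(self, public_ip, full_tunnel):
        self.public_ip, self.vip = public_ip, None
        self.port = 49152 + secrets.randbelow(16384)   # a fresh random port for every session
        # The /32 host route keeps the encapsulated datagrams on eth0; with a full-tunnel default
        # route and no host route they would be steered back into vif0 and never leave the machine.
        self.routes = [(SERVER_PUBLIC_IP + "/32", "eth0")]
        if full_tunnel:
            self.routes.append(("0.0.0.0/0", "vif0"))                      # secure browsing
        else:
            self.routes += [(INTERNAL_NET, "vif0"), ("0.0.0.0/0", "eth0")]   # remote user, split tunnel

    def login(self, server, username, secret):
        self.vip = server.connect(self.public_ip, self.port, username, login_proof(secret))
        return self.vip

    def send(self, dst, dport, payload):
        """Apply the routing table: nest the packet in a tunnel datagram, or send it out directly."""
        if lookup(self.routes, dst) == "vif0":
            inner = Packet(self.vip, dst, 51000, dport, payload)
            return Packet(self.public_ip, SERVER_PUBLIC_IP, self.port, VPN_PORT, inner)
        return Packet(self.public_ip, dst, 51000, dport, payload)

def demo():
    server = VpnServer({"alice": b"constructed-secret"})
    remote = VpnClient("202.35.102.100", full_tunnel=False)   # the article's remote user
    browser = VpnClient("99.10.10.163", full_tunnel=True)      # a secure-browsing user
    web = "198.51.100.7"                                       # constructed web server (TEST-NET-2)
    out = {"remote_vip": remote.login(server, "alice", b"constructed-secret"),
           "bad_login": browser.login(server, "alice", b"wrong-secret"),
           "browser_vip": browser.login(server, "alice", b"constructed-secret"),
           "browser_port": browser.port}
    out["lan"] = server.from_client(remote.send("192.168.1.14", 80, b"GET /"))
    out["remote_web"] = remote.send(web, 443, b"hello")        # split tunnel: leaves eth0 untouched
    out["browser_web"] = server.from_client(browser.send(web, 443, b"hello"))
    nat_port = out["browser_web"][1].sport
    out["reply"] = server.from_internet(Packet(web, SERVER_PUBLIC_IP, 443, nat_port, b"200 OK"))
    spoofed = Packet("10.1.1.2", "192.168.1.14", 51000, 80, b"as someone else")
    out["spoof"] = server.from_client(Packet(remote.public_ip, SERVER_PUBLIC_IP, remote.port, VPN_PORT, spoofed))
    return out
```

The check that the inner source address equals the session’s assigned address is what stops one authenticated client from injecting packets as another client or as an internal host; a server that only keys on the outer (IP, port) pair and trusts the inner header loses that isolation.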

Virtual Private LAN Services

Until now we have used routing in VPNs to connect sites and branches over the internet. In VPLS we use bridging instead. It is the same concept used in a traditional bridged network to extend a broadcast domain, with the one difference that the entire backbone, i.e. the WAN connection, acts as our bridge. Since we are now performing bridging, MAC addresses matter more than IP addresses.

VPLS lets us perform unicast, multicast and broadcast communication within our virtual LAN as it extends over the WAN. To implement this we need a VPLS-enabled service running at our network gateway, and a similar setup at every other site to which we want to extend our LAN.

So let us say we have a network 192.168.1.0/24 extended over three sites such that hosts 1-100 are at site 1, 101-170 at site 2 and 171-254 at site 3.

  • The VPLS application running at each branch knows every MAC address in its branch.
  • A frame for an unknown destination MAC address is tunneled, using any existing tunneling protocol, to the other sites. From the replies of the other connected sites the VPLS application learns the MAC addresses and where they originate (just as a normal bridge learns).
  • Unicast and multicast messages need not be forwarded over the WAN if the source and destination devices are at the same site, but broadcast messages must be.
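An added example (not the article’s code) of the bridging just described: each site runs a learning bridge whose ports are its LAN and one tunnel per peer site. It learns MAC addresses from the frames it sees, floods broadcasts and unknown unicasts to every other site, sends known unicasts down one tunnel only, and never re-tunnels a frame received from a peer to a third site (split horizon, since the sender already reached every site it needed to). The MAC addresses, site names and ARP payloads are constructed; the tunnel transport itself is left out.

```python
import struct

def mac(text: str) -> bytes:
    """'02:00:00:00:01:0a' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def make_frame(dst: str, src: str, ethertype: int, payload: bytes = b"") -> bytes:
    return struct.pack("!6s6sH", mac(dst), mac(src), ethertype) + payload

class VplsSite:
    """The VPLS process at one site: a learning bridge whose ports are the LAN and one tunnel per peer site."""

    def __init__(self, name, peers):
        self.name = name
        self.peers = peers      # names of the other sites, each reachable over its own tunnel
        self.fdb = {}           # forwarding database: MAC -> "local" or the peer site it was learned from

    def from_lan(self, frame):
        """Frame from the local LAN: learn its source, return {peer_site: frame} for the tunnels to carry."""
        dst, src, _ = struct.unpack("!6s6sH", frame[:14])
        self.fdb[src] = "local"
        origin = self.fdb.get(dst)
        if dst[0] & 1:                                   # group bit set: broadcast/multicast, every site must see it
            return {peer: frame for peer in self.peers}
        if origin == "local":
            return {}                                    # both hosts are here; nothing crosses the WAN
        if origin is None:
            return {peer: frame for peer in self.peers}  # unknown unicast: flood, as a normal bridge would
        return {origin: frame}                           # known remote MAC: only that site's tunnel

    def from_tunnel(self, peer, frame):
        """Frame decapsulated from `peer`'s tunnel: learn where its source lives and deliver it on the
        LAN if it is for a local (or still unknown) host; never re-tunnel it to another site."""
        dst, src, _ = struct.unpack("!6s6sH", frame[:14])
        self.fdb[src] = peer
        origin = self.fdb.get(dst)
        return "lan" if dst[0] & 1 or origin in (None, "local") else None

def demo():
    names = ("site1", "site2", "site3")
    sites = {n: VplsSite(n, [p for p in names if p != n]) for n in names}
    A, B, C = "02:00:00:00:01:0a", "02:00:00:00:02:0b", "02:00:00:00:01:0c"   # constructed MACs
    # 1. Host A (site 1) ARPs for a host it has never talked to: broadcast, flooded to both other sites.
    step1 = sites["site1"].from_lan(make_frame("ff:ff:ff:ff:ff:ff", A, 0x0806, b"who-has 192.168.1.120"))
    for peer, frame in step1.items():
        sites[peer].from_tunnel("site1", frame)           # site2 and site3 learn: A lives at site1
    # 2. Host B (site 2) replies by unicast: site 2 already knows A, so only site 1's tunnel is used.
    step2 = sites["site2"].from_lan(make_frame(A, B, 0x0806, b"192.168.1.120 is-at B"))
    sites["site1"].from_tunnel("site2", step2["site1"])   # site1 learns: B lives at site2
    # 3. A -> B IP traffic now goes straight to site 2; A <-> C (both at site 1) never leaves the site.
    step3 = sites["site1"].from_lan(make_frame(B, A, 0x0800, b"ip"))
    sites["site1"].from_lan(make_frame(A, C, 0x0800, b"hello from C"))
    step4 = sites["site1"].from_lan(make_frame(C, A, 0x0800, b"reply to C"))
    return step1, step2, step3, step4, sites
```

Because the forwarding database is filled from whatever source addresses arrive, a VPLS service inherits the classic bridge problem that a host can pollute the table by sending frames with another host’s source MAC; per-port MAC limits and static entries for known gateways are the usual mitigation.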


Layer 2 and layer 3 VPN

[Figure: Layer 2 vs Layer 3 VPN]

There has been a lot of buzz about whether to use a layer 3 or a layer 2 VPN protocol, and a lot of debate and comparison about which is better.

Technically the difference is very small. What distinguishes a layer 2 VPN from a layer 3 VPN is whether the encapsulated data packet keeps its headers down to layer 2, or only down to layer 3. That is it; this is the definitive difference between layer 2 and layer 3 VPN protocols.

So if the encapsulated packet also contains the layer 2 header, it is a layer 2 VPN; otherwise it is a layer 3 VPN.
